2.11 Linear Feedback Shift Register Sequences

The document discusses using linear feedback shift registers to generate sequences of bits that can be used as cryptographic keys. The key sequence is determined by an initial vector and a linear recurrence relation, and an attacker who knows part of the key sequence can use it to deduce the recurrence and recover the full key.


2.11. LFSR Sequences 43

Example. Let

$p = 24672462467892469787$ and $q = 396736894567834589803$,

$n = 9788470140853110794168855217413715781961$.

Take $x = 873245647888478349013$. The initial seed is

$x_0 = x^2 \pmod n = 8845298710478780097089917746010122863172$.

The values for $x_1, x_2, \ldots, x_8$ are

$x_1 = 7118894281131329522745962455498123822408$
$x_2 = 3145174608888893164151380152060704518227$
$x_3 = 4898007782307156233272233185574899430355$
$x_4 = 3935457818935112922347093546189672310389$
$x_5 = 675099511510097048901761303198740246040$
$x_6 = 4289914828771740133546190658266515171326$
$x_7 = 4431066711454378260890386385593817521668$
$x_8 = 7336876124195046397414235333675005372436$.

Taking the least significant bit of each of these, which is easily done by checking whether the number is odd or even, produces the sequence $b_1, \ldots, b_8 = 0, 1, 1, 1, 0, 0, 0, 0$. ■

The Blum-Blum-Shub generator is very likely unpredictable. See [Blum-Blum-Shub]. A problem with BBS is that it can be slow to calculate. One way to improve its speed is to extract the $k$ least significant bits of $x_j$. As long as $k < \log_2 \log_2 n$, this seems to be cryptographically secure.

2.11 Linear Feedback Shift Register Sequences

Note: In this section, all congruences are mod 2.

In many situations involving encryption, there is a trade-off between speed and security. If one wants a very high level of security, speed is often sacrificed, and vice versa. For example, in cable television, many bits of data are being transmitted, so speed of encryption is important. On the other hand, security is not usually as important since there is rarely an economic advantage to mounting an expensive attack on the system.

In this section, we describe a method that can be used when speed is more important than security.

The sequence

01000010010110011111000110111010100001001011001111

can be described by giving the initial values

$x_1 = 0,\ x_2 = 1,\ x_3 = 0,\ x_4 = 0,\ x_5 = 0$

and the linear recurrence relation

$x_{n+5} \equiv x_n + x_{n+2} \pmod 2$.

This sequence repeats after 31 terms.


More generally, consider a linear recurrence relation of length $m$:

$x_{n+m} \equiv c_0 x_n + c_1 x_{n+1} + \cdots + c_{m-1} x_{n+m-1} \pmod 2$,

where the coefficients $c_0, c_1, \ldots$ are integers. If we specify the initial values

$x_1, x_2, \ldots, x_m$,

then all subsequent values of $x_n$ can be computed using the recurrence.


The resulting sequence of 0s and 1s can be used as the key for encryption. Namely, write the plaintext as a sequence of 0s and 1s, then add an appropriate number of bits of the key sequence to the plaintext mod 2, bit by bit. For example, if the plaintext is 1011001110001111 and the key sequence is the example given previously, we have

(plaintext)    1011001110001111
(key)        + 0100001001011001
(ciphertext)   1111000111010110

Decryption is accomplished by adding the key sequence to the ciphertext in exactly the same way.
One advantage of this method is that a key with large period can be generated using very little information. The long period gives an improvement over the Vigenère method, where a short period allowed us to find the key. In the above example, specifying the initial vector $\{0, 1, 0, 0, 0\}$ and the coefficients $\{1, 0, 1, 0, 0\}$ yielded a sequence of period 31, so 10 bits were used to produce 31 bits. It can be shown that the recurrence

$x_{n+31} = x_n + x_{n+3}$

and any nonzero initial vector will produce a sequence that has period $2^{31} - 1 = 2147483647$. Therefore, 62 bits produce more than two billion bits of key. This is a great advantage over a one-time pad, where the full two billion bits must be sent in advance.

Figure 2.1: A Linear Feedback Shift Register Satisfying $x_{m+3} = x_{m+1} + x_m$.
This method can be implemented very easily in hardware using what is known as a linear feedback shift register (LFSR) and is very fast. In Figure 2.1 we depict an example of a linear feedback shift register in a simple case. More complicated recurrences are implemented using more registers and more XORs.

For each increment of a counter, the bit in each box is shifted to other boxes as indicated, with $\oplus$ denoting the addition mod 2 of the incoming bits. The output, which is the bit $x_m$, is added to the next bit of plaintext to produce the ciphertext. The diagram in Figure 2.1 represents the recurrence $x_{m+3} = x_{m+1} + x_m$. Once the initial values $x_1, x_2, x_3$ are specified, the machine produces the subsequent bits very efficiently.

Unfortunately, the preceding encryption method succumbs easily to a known plaintext attack. More precisely, if we know only a few consecutive bits of plaintext, along with the corresponding bits of ciphertext, we can determine the recurrence relation and therefore compute all subsequent bits of the key. By subtracting (or adding; it's all the same mod 2) the plaintext from the ciphertext mod 2, we obtain the bits of the key. Therefore, for the rest of this discussion, we will ignore the ciphertext and plaintext and assume we have discovered a portion of the key sequence. Our goal is to use this portion of the key to deduce the coefficients of the recurrence and consequently compute the rest of the key.
For example, suppose we know the initial segment 011010111100 of the sequence 0110101111000100110101111..., which has period 15, and suppose we know it is generated by a linear recurrence. How do we determine the coefficients of the recurrence? We do not necessarily know even the length, so we start with length 2 (length 1 would produce a constant sequence). Suppose the recurrence is $x_{n+2} = c_0 x_n + c_1 x_{n+1}$. Let $n = 1$ and $n = 2$ and use the known values $x_1 = 0,\ x_2 = 1,\ x_3 = 1,\ x_4 = 0$. We obtain the equations

$1 = c_0 \cdot 0 + c_1 \cdot 1 \quad (n = 1)$
$0 = c_0 \cdot 1 + c_1 \cdot 1 \quad (n = 2).$

In matrix form, this is

The solution is $c_0 = 1,\ c_1 = 1$, so we guess that the recurrence is $x_{n+2} = x_n + x_{n+1}$. Unfortunately, this is not correct since $x_6 \neq x_4 + x_5$. Therefore, we try length 3. The resulting matrix equation is

The determinant of the matrix is 0 mod 2; in fact, the equation has no solution. We can see this because every column in the matrix sums to 0 mod 2, while the vector on the right does not.

Now consider length 4. The matrix equation is

The solution is $c_0 = 1,\ c_1 = 1,\ c_2 = 0,\ c_3 = 0$. The resulting recurrence is now conjectured to be

$x_{n+4} = x_n + x_{n+1}$.

This generates the remaining elements of the piece of key that we already know, so it is our best guess for the recurrence that generates the key sequence. In fact, a quick calculation shows that this is the case, so we have found the recurrence.

The general situation is as follows. To test for a recurrence of length $m$, we assume we know $x_1, x_2, \ldots, x_{2m}$. The matrix equation is

We show later that the matrix is invertible mod 2 if and only if there is no linear recurrence of length less than $m$ that is satisfied by $x_1, x_2, \ldots$.

A strategy for finding the coefficients of the recurrence is now clear. Suppose we know the first 100 bits of the key. For $m = 2, 3, 4, \ldots$, form the $m \times m$ matrix as before and compute its determinant. If several consecutive values of $m$ yield 0 determinants, stop. The last $m$ to yield a nonzero (i.e., 1 mod 2) determinant is probably the length of the recurrence. Solve the matrix equation to get the coefficients $c_0, \ldots$. It can then be checked whether the sequence that this recurrence generates matches the sequence of known bits of the key. If not, try larger values of $m$.

Suppose we don't know the first 100 bits, but rather some other 100 consecutive bits of the key. The same procedure applies, using these bits as the starting point. In fact, once we find the recurrence, we can also work backwards to find the bits preceding the starting point.
Here is an example. Suppose we have the following sequence of 100 bits:

10011001001110001100010100011110110011111010101001
01101101011000011011100101011110000000100010010000.

The first 20 determinants, starting with $m = 1$, are

1, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0.

A reasonable guess is that $m = 8$ gives the last nonzero determinant. When we solve the matrix equation for the coefficients we get

$\{c_0, c_1, \ldots, c_7\} = \{1, 1, 0, 0, 1, 0, 0, 0\}$,

so we guess that the recurrence is

$x_{n+8} = x_n + x_{n+1} + x_{n+4}$.

This recurrence generates all 100 terms of the original sequence, so we have the correct answer, at least based on the knowledge that we have.

Suppose that the 100 bits were in the middle of some sequence, and we want to know the preceding bits. For example, suppose the sequence starts with $x_{17}$, so $x_{17} = 1,\ x_{18} = 0,\ x_{19} = 0, \ldots$. Write the recurrence as

$x_n = x_{n+1} + x_{n+4} + x_{n+8}$

(it might appear that we made some sign errors, but recall that we are working mod 2, so $-x_n = x_n$ and $-x_{n+8} = x_{n+8}$). Letting $n = 16$ yields

$x_{16} = x_{17} + x_{20} + x_{24} = 1 + 0 + 1 = 0$.

Continuing in this way, we successively determine $x_{15}, x_{14}, \ldots, x_1$.
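The following Python is an added example, not code from the book: it generates the key stream of the recurrences above, performs the XOR encryption step, and runs the determinant procedure of the last pages (Gauss-Jordan elimination mod 2 over the matrix built from the known key bits, then a regeneration check) on the 12-bit segment and on the 100-bit key; `step_back` extends the key backwards as in the last paragraph. The names `lfsr`, `solve_gf2`, `system`, `recover` and `step_back` are this example's own.

```python
# Added example (not the book's code): LFSR key stream, XOR encryption, and the
# determinant test from the text to recover the recurrence from known key bits.

def lfsr(init, coeffs, length):
    """Extend init with x[n+m] = c0*x[n] + ... + c(m-1)*x[n+m-1] (mod 2)."""
    x, m = list(init), len(coeffs)
    while len(x) < length:
        x.append(sum(c * b for c, b in zip(coeffs, x[-m:])) % 2)
    return x[:length]

def xor_bits(a, b):
    """One stream-cipher step; decryption (and key recovery) is the same XOR."""
    return [u ^ v for u, v in zip(a, b)]

def solve_gf2(rows, rhs):
    """Gauss-Jordan elimination mod 2: returns (det mod 2, solution or None)."""
    n = len(rows)
    a = [r[:] + [v] for r, v in zip(rows, rhs)]
    for col in range(n):
        piv = next((r for r in range(col, n) if a[r][col]), None)
        if piv is None:
            return 0, None  # singular matrix: determinant 0 mod 2
        a[col], a[piv] = a[piv], a[col]
        for r in range(n):
            if r != col and a[r][col]:
                a[r] = [u ^ v for u, v in zip(a[r], a[col])]
    return 1, [a[i][n] for i in range(n)]

def system(bits, m):
    """Rows (x_i, ..., x_{i+m-1}) for i = 1..m and right side x_{m+1}..x_{2m}."""
    return [bits[i:i + m] for i in range(m)], bits[m:2 * m]

def determinants(bits, max_m):  # the list the page tabulates; needs 2*max_m <= len(bits)
    return [solve_gf2(*system(bits, m))[0] for m in range(1, max_m + 1)]

def recover(bits):
    """Smallest m with determinant 1 whose recurrence regenerates all known bits."""
    for m in range(1, len(bits) // 2 + 1):
        det, c = solve_gf2(*system(bits, m))
        if det and lfsr(bits[:m], c, len(bits)) == bits:
            return c
    return None

def step_back(bits, coeffs):  # prepend x_n from x_{n+m} = c0*x_n + ...; needs c0 = 1
    m = len(coeffs)
    return [(bits[m - 1] + sum(c * b for c, b in zip(coeffs[1:], bits))) % 2] + bits

# The 100 known key bits from the page's worked example.
KEY100 = [int(ch) for ch in "10011001001110001100010100011110110011111010101001"
                            "01101101011000011011100101011110000000100010010000"]
```

On `KEY100`, `determinants(KEY100, 8)` reproduces the page's list 1, 0, 1, 0, 0, 1, 0, 1 and `recover(KEY100)` returns the coefficients {1, 1, 0, 0, 1, 0, 0, 0}; the known-plaintext step itself is just `xor_bits(ciphertext, plaintext)`.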


We now prove the result we promised.

Proposition. Let $x_1, x_2, x_3, \ldots$ be a sequence of bits produced by a linear recurrence mod 2. For each $n \ge 1$, let

Let $N$ be the length of the shortest recurrence that generates the sequence $x_1, x_2, x_3, \ldots$. Then $\det(M_N) \equiv 1 \pmod 2$ and $\det(M_n) \equiv 0 \pmod 2$ for all $n > N$.
Proof. We first make a few remarks on the length of recurrences. A sequence could satisfy a length 3 relation such as $x_{n+3} = x_{n+2}$. It would clearly then also satisfy shorter relations such as $x_{n+1} = x_n$ (at least for $n \ge 2$). However, there are less obvious ways that a sequence could satisfy a recurrence of length less than expected. For example, consider the relation $x_{n+4} = x_{n+3} + x_{n+1} + x_n$. Suppose the initial values of the sequence are 1, 1, 0, 1. The recurrence allows us to compute subsequent terms: 1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 0, 1, .... It is easy to see that the sequence satisfies $x_{n+2} = x_{n+1} + x_n$.

If there is a recurrence of length $N$ and if $n > N$, then one row of the matrix $M_n$ is congruent mod 2 to a linear combination of other rows. For example, if the recurrence is $x_{n+3} = x_{n+2} + x_n$, then the fourth row is the sum of the first and third rows. Therefore, $\det(M_n) \equiv 0 \pmod 2$ for all $n > N$.

Now suppose $\det(M_N) \equiv 0 \pmod 2$. Then there is a nonzero row vector $b = (b_0, \ldots, b_{N-1})$ such that $bM_N = 0$. We'll show that this gives a recurrence relation for the sequence $x_1, x_2, x_3, \ldots$ and that the length of this relation is less than $N$. This contradicts the assumption that $N$ is smallest. This contradiction implies that $\det(M_N) \equiv 1 \pmod 2$.
Let the recurrence of length $N$ be

For each $i \ge 0$, let

Then $M^{(0)} = M_N$. The recurrence relation implies that

which is the last column of $M^{(i+1)}$.

By the choice of $b$, we have $bM^{(0)} = bM_N = 0$. Suppose that we know that $bM^{(i)} = 0$ for some $i$. Then

Therefore, $b$ annihilates the last column of $M^{(i+1)}$. Since the remaining columns of $M^{(i+1)}$ are columns of $M^{(i)}$, we find that $bM^{(i+1)} = 0$. By induction, we obtain $bM^{(i)} = 0$ for all $i \ge 0$.

Let $n \ge 1$. The first column of $M^{(n-1)}$ yields

$b_0 x_n + b_1 x_{n+1} + \cdots + b_{N-1} x_{n+N-1} = 0$.

Since $b$ is not the zero vector, $b_j \neq 0$ for at least one $j$. Let $m$ be the largest $j$ such that $b_j \neq 0$, which means that $b_m = 1$. We are working mod 2, so $b_m x_{n+m-1} = -x_{n+m-1}$. Therefore, we can rearrange the relation to obtain

$x_{n+m-1} = b_0 x_n + b_1 x_{n+1} + \cdots$

This is a recurrence of length $m - 1$. Since $m - 1 < N$, and $N$ is assumed to be the shortest possible length, we have a contradiction. Therefore, the assumption that $\det(M_N) = 0$ must be false, so $\det(M_N) = 1$. This completes the proof. □

Finally, we make a few comments about the period of a sequence. Suppose the length of the recurrence is $m$. Any $m$ consecutive terms of the sequence determine all future elements, and, by reversing the recurrence, all previous values, too. Clearly, if we have $m$ consecutive 0s, then all future values are 0. Also, all previous values are 0. Therefore, we exclude this case from consideration. There are $2^m - 1$ strings of 0s and 1s of length $m$ in which at least one term is nonzero. Therefore, as soon as there are more than $2^m - 1$ terms, some string of length $m$ must occur twice, so the sequence repeats. The period of the sequence is at most $2^m - 1$.

Associated to a recurrence $x_{n+m} = c_0 x_n + c_1 x_{n+1} + \cdots + c_{m-1} x_{n+m-1} \pmod 2$, there is a polynomial

$f(T) = T^m - c_{m-1} T^{m-1} - \cdots - c_0$.

If $f(T)$ is irreducible mod 2 (this means that it is not congruent to the product of two lower-degree polynomials), then it can be shown that the period divides $2^m - 1$. An interesting case is when $2^m - 1$ is prime (these are called Mersenne primes). If the period isn't 1, that is, if the sequence is not constant, then the period in this special case must be maximal, namely $2^m - 1$ (see Section 3.11). The example where the period is $2^{31} - 1$ is of this type.
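To make the polynomial statement concrete, here is an added Python example (not from the book) that builds $f(T)$ from the coefficients, tests irreducibility mod 2 by trial division, and computes the period of an irreducible recurrence as the order of $T$ in $\mathrm{GF}(2)[T]/(f)$, the divisor of $2^m - 1$ the text refers to. It goes a little beyond the page: besides returning 31 for the length-5 recurrence and $2^{31} - 1$ for $x_{n+31} = x_n + x_{n+3}$, it finds non-maximal periods (such as 5 for $T^4 + T^3 + T^2 + T + 1$) and returns None for reducible $f$, such as the length-4 example in the proof. The function names are this example's own.

```python
# Added example (not the book's code): the polynomial f(T) of a recurrence, an
# irreducibility test mod 2, and the period as the order of T in GF(2)[T]/(f).
# Polynomials over GF(2) are Python ints: bit i is the coefficient of T^i.

def poly_of(coeffs):
    """f(T) = T^m - c_{m-1} T^{m-1} - ... - c_0; minus signs vanish mod 2."""
    return (1 << len(coeffs)) | sum(c << i for i, c in enumerate(coeffs))

def poly_mod(a, f):
    """Remainder of a divided by f over GF(2) (long division with XOR)."""
    while a and a.bit_length() >= f.bit_length():
        a ^= f << (a.bit_length() - f.bit_length())
    return a

def poly_mul(a, b, f):
    """a * b mod f over GF(2), shift-and-add (a must already be reduced)."""
    r = 0
    while b:
        r, a, b = r ^ (a if b & 1 else 0), poly_mod(a << 1, f), b >> 1
    return r

def poly_pow(a, e, f):
    """a^e mod f by square-and-multiply."""
    r = 1
    while e:
        r, a, e = (poly_mul(r, a, f) if e & 1 else r), poly_mul(a, a, f), e >> 1
    return r

def is_irreducible(f):
    m = f.bit_length() - 1  # trial division by every g with 1 <= deg g <= m/2
    return m >= 1 and all(poly_mod(f, g) for d in range(1, m // 2 + 1)
                          for g in range(1 << d, 1 << (d + 1)))

def prime_factors(n):
    out, p = [], 2  # trial division is enough for n = 2^m - 1 with m <= 31
    while p * p <= n:
        if n % p == 0:
            out.append(p)
            while n % p == 0:
                n //= p
        p += 1
    return out + ([n] if n > 1 else [])

def period(coeffs):
    """Period of the sequence when f is irreducible: the order of T, which
    divides 2^m - 1 as the text states. Returns None when f is reducible."""
    f, k = poly_of(coeffs), (1 << len(coeffs)) - 1
    if not is_irreducible(f):
        return None
    for p in prime_factors(k):  # T^(2^m - 1) = 1 in GF(2^m); shrink k
        while k % p == 0 and poly_pow(0b10, k // p, f) == 1:
            k //= p
    return k
```

For the length-31 case the trial-division irreducibility test checks all polynomials of degree up to 15, which takes a second or two in plain Python.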
Linear feedback shift register sequences have been studied extensively. For example, see [Golomb] or [van der Lubbe].

One way of thwarting the above attack is to use nonlinear recurrences, for example,

$x_{n+3} = x_{n+2} x_n + x_{n+1}$.

Generally, these systems are somewhat harder to break. However, we shall not discuss them here.

2.12 Enigma

Mechanical encryption devices known as rotor machines were developed in the 1920s by several people. The best known was designed by Arthur Scherbius and became the famous Enigma machine used by the Germans in World War II.

It was believed to be very secure and several attempts at breaking the system ended in failure. However, a group of three Polish cryptologists, Marian Rejewski, Henryk Zygalski, and Jerzy Różycki, succeeded in breaking early versions of Enigma during the 1930s. Their techniques were passed to the British in 1939, two months before Germany invaded Poland. The British extended the Polish techniques and successfully decrypted German messages throughout World War II.

The fact that Enigma had been broken remained a secret for almost 30 years after the end of the war, partly because the British had sold captured Enigma machines to former colonies and didn't want them to know that the system had been broken.

In the following, we give a brief description of Enigma and then describe an attack developed by Rejewski. For more details, see for example [Kozaczuk]. This book contains appendices by Rejewski giving details of attacks on Enigma.

We give a basic schematic diagram of the machine in Figure 2.2. For more details, we urge the reader to visit some of the many websites that can
